Sunday, October 25, 2015

Putting your kettle on the Internet of Things makes your wifi passwords an open secret (plus Izabella Kaminska does a driveby)

From boing boing:

The $150 Smarter Ikettle lets you start your water boiling from anywhere
in the world over the Internet -- and it also contains long-term
serious security vulnerabilities that allow attackers to extract your
wifi passwords from it.

To connect to the Internet, the Ikettle needs to know your wifi
password, which it stores in the clear in its memory. The kettle is also
naive enough to connect to any network that has the same name as yours.
So all an attacker has to do is use a specialized antenna to overpower
your wifi signal, right through the walls of your house, and trick the
kettle into connecting to their spoof network, and then they can extract
your wifi password and connect to your network.

There are a few steps you can take to improve this situation, but
ultimately, the Ikettle is just a badly secured device that shouldn't be
on the same network as sensitive items like home burglar alarm cameras,
networked thermostats, and the phones and laptops you use to access
sensitive services.

The researchers at Pen Test Partners have pointed this out to Smarter for a year, but no fix has emerged for it.

The Ikettle's lack of security isn't remarkable in the badly secured
world of the Internet of Things, where security is an afterthought, and
often not auditable thanks to the widespread use of digital rights
management, which gives companies the right to sue people who disclose
security vulnerabilities.

If you have a Wi-Fi kettle, a hacker can drive past your house and steal
your Wi-Fi key (the PSK).
This is REALLY easy if you use the Android app to control your kettle.
If you use the iPhone app, it takes a little longer.
If you haven’t configured the kettle, it’s trivially easy for hackers to
find your house and take over your kettle. Check out our map of some
unconfigured iKettle locations in West London...MORE

An Uber self-driving electric car has just dropped you home. Your
front door has recognised your face, and your fingerprint has
authenticated that it’s definitely you. You get into your house, not a
key in sight, kick off your shoes, and happily discover that the 3D
printing feature in your fridge has already printed the food you plan to
consume for dinner. All the appliances you need are on. And everything
you don’t need is off, nice and efficiently saving power.

You decide to treat yourself to a quick 30-minute Netflix holographic
update, only to get a nudge from your wearable tech that you’ve still
got a 10-minute exercise deficit to meet your daily exercise quota. It’s
a problem because you happen to have signed up to the extreme health
management option which shuts down ApplePay access — without which
Netflix won’t work — if you fail to meet your objectives. You quickly
get busy on your smart-grid connected treadmill (which conveniently
sells off the energy produced by your system back into the grid).

When all of a sudden… your utility door flings open and your iRobot Roomba begins singing Daisy, Daisy....MORE

But do you know why your Roomba is singing Daisy?
It's an homage to an homage to the first singing computer: